1.17.0 (January 11, 2021)¶
Incompatible Behavior Changes¶
Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required
config: v2 is now fatal-by-default. This may be overridden by setting
--bootstrap-version 2on the CLI for a v2 bootstrap file and also enabling the runtime
Minor Behavior Changes¶
Changes that may cause incompatibilities for some users, but should not for most
build: the Alpine based debug images are no longer built in CI, use Ubuntu based images instead.
decompressor: set the default value of window_bits of the decompressor to 15 to be able to decompress responses compressed by a compressor with any window size.
expr filter: added
grpc_web filter: if a
grpc-accept-encodingheader is present it’s passed as-is to the upstream and if it isn’t
grpc-accept-encoding:identityis sent instead. The header was always overwriten with
http: upstream protocol will now only be logged if an upstream stream was established.
jwt_authn filter: added support of JWT time constraint verification with a clock skew (default to 60 seconds) and added a filter config field clock_skew_seconds to configure it.
listener: injection of the TLS inspector has been disabled by default. This feature is controlled by the runtime guard
lua: added always_wrap_body argument to body() API to always return a buffer object even if the body is empty.
memory: enabled new tcmalloc with restartable sequences for aarch64 builds.
mongo proxy metrics: swapped network connection remote and local closed counters previously set reversed (
outlier detection: added max_ejection_time to limit ejection time growth when a node stays unhealthy for extended period of time. By default max_ejection_time limits ejection time to 5 minutes. Additionally, when the node stays healthy, ejection time decreases. See ejection algorithm for more info. Previously, ejection time could grow without limit and never decreased.
performance: improved performance when handling large HTTP/1 bodies.
tcp_proxy: now waits for HTTP tunnel to be established before start streaming the downstream data, the runtime guard
envoy.reloadable_features.http_upstream_wait_connect_responsecan be set to “false” to disable this behavior.
tls: removed RSA key transport and SHA-1 cipher suites from the client-side defaults.
watchdog: the watchdog action abort_action is now the default action to terminate the process if watchdog kill / multikill is enabled.
xds: to support TTLs, heartbeating has been added to xDS. As a result, responses that contain empty resources without updating the version will no longer be propagated to the subscribers. To undo this for VHDS (which is the only subscriber that wants empty resources), the
envoy.reloadable_features.vhds_heartbeatscan be set to “false”.
Changes expected to improve the state of the world and are unlikely to have negative effects
config: validate that upgrade configs have a non-empty upgrade_type, fixing a bug where an errant “-” could result in unexpected behavior.
dns: fixed a bug where custom resolvers provided in configuration were not preserved after network issues.
dns_filter: correctly associate DNS response IDs when multiple queries are received.
grpc mux: fixed sending node again after stream is reset when set_node_on_first_message_only is set.
http: fixed URL parsing for HTTP/1.1 fully qualified URLs and connect requests containing IPv6 addresses.
http: reject requests with missing required headers after filter chain processing.
http: sending CONNECT_ERROR for HTTP/2 where appropriate during CONNECT requests.
proxy_proto: fixed a bug where the wrong downstream address got sent to upstream connections.
proxy_proto: fixed a bug where network filters would not have the correct downstreamRemoteAddress() when accessed from the StreamInfo. This could result in incorrect enforcement of RBAC rules in the RBAC network filter (but not in the RBAC HTTP filter), or incorrect access log addresses from tcp_proxy.
sds: fixed a bug that clusters sharing same sds target are marked active immediately.
tls: fixed detection of the upstream connection close event.
tls: fixed read resumption after triggering buffer high-watermark and all remaining request/response bytes are stored in the SSL connection’s internal buffers.
udp: fixed issue in which receiving truncated UDP datagrams would cause Envoy to crash.
watchdog: touch the watchdog before most event loop operations to avoid misses when handling bursts of callbacks.
Removed Config or Runtime¶
Normally occurs at the end of the deprecation period
dispatcher: removed legacy socket read/write resumption code path and runtime guard
ext_authz: removed auto ignore case in HTTP-based
ext_authzheader matching and the runtime guard
envoy.reloadable_features.ext_authz_http_service_enable_case_sensitive_string_matcher. To ignore case, set the ignore_case field to true.
ext_authz: the deprecated field
use_alphais no longer supported and cannot be set anymore.
envoy.reloadable_features.http1_flood_protectionand legacy code path for turning flood protection off.
envoy.reloadable_features.new_codec_behaviorand legacy codecs.
compression: the compressor filter added support for compressing request payloads. Its configuration is unified with the decompressor filter with two new fields for different directions - requests and responses. The latter deprecates the old response-specific fields and, if used, roots the response-specific stats in <stat_prefix>.compressor.<compressor_library.name>.<compressor_library_stat_prefix>.response.* instead of <stat_prefix>.compressor.<compressor_library.name>.<compressor_library_stat_prefix>.*.
config: added new runtime feature
envoy.features.enable_all_deprecated_featuresthat allows the use of all deprecated features.
crash support: added the ability to dump L4 connection data on crash.
formatter: added new text_format_source field to support format strings both inline and from a file.
grpc-json: added support for configuring unescaping behavior for path components.
hds: added support for delta updates in the HealthCheckSpecifier, making only the Endpoints and Health Checkers that changed be reconstructed on receiving a new message, rather than the entire HDS.
health_check: added option to use no_traffic_healthy_interval which allows a different no traffic interval when the host is healthy.
http: added HCM request_headers_timeout config field to control how long a downstream has to finish sending headers before the stream is cancelled.
http: added frame flood and abuse checks to the upstream HTTP/2 codec. This check is off by default and can be enabled by setting the
envoy.reloadable_features.upstream_http2_flood_checksruntime key to true.
http: added stripping any port from host header support.
jwt_authn: added support for per-route config.
kill_request: added new HTTP kill request filter.
listener: added back the use_original_dst field.
listener: added the Listener.bind_to_port field.
log: added a new custom flag
%_to the log pattern to print the actual message to log, but with escaped newlines.
lua: added downstreamDirectRemoteAddress() and downstreamLocalAddress() APIs to streamInfo().
mongo_proxy: the list of commands to produce metrics for is now configurable.
network: added a transport_socket_connect_timeout config field for incoming connections completing transport-level negotiation, including TLS and ALTS hanshakes.
ratelimit: added support for use of various metadata as a ratelimit action.
ratelimit: added disable_x_envoy_ratelimited_header option to disable X-Envoy-RateLimited header.
ratelimit: added body field to support custom response bodies for non-OK responses from the external ratelimit service.
ratelimit: added descriptor extensions.
ratelimit: added computed descriptors.
ratelimit: added dynamic_metadata field to support setting dynamic metadata from the ratelimit service.
router: added support for regex rewrites during HTTP redirects using regex_rewrite.
signal: added an extension point for custom actions to run on the thread that has encountered a fatal error. Actions are configurable via fatal_actions.
start_tls: added new transport socket which starts in clear-text but may programatically be converted to use tls.
tcp: added a new envoy.overload_actions.reject_incoming_connections action to reject incoming TCP connections.
thrift_proxy: added a new payload_passthrough option to skip decoding body in the Thrift message.
tls: added support for RSA certificates with 4096-bit keys in FIPS mode.
tracing: added SkyWalking tracer.
tracing: added support for setting the hostname used when sending spans to a Zipkin collector using the collector_hostname field.
cluster: HTTP configuration for upstream clusters has been reworked. HTTP-specific configuration is now done in the new http_protocol_options message, configured via the cluster’s extension_protocol_options. This replaces explicit HTTP configuration in cluster config, including upstream_http_protocol_options common_http_protocol_options http_protocol_options http2_protocol_options and protocol_selection. Examples of before-and-after configuration can be found in the http_protocol_options docs and all of Envoy’s example configurations have been updated to the new style of config.
compression: the fields content_length, content_type, disable_on_etag_header, remove_accept_encoding_header and runtime_enabled of the Compressor message have been deprecated in favor of response_direction_config.
--log-format-prefix-with-locationoption is removed.
--use-fake-symbol-tableoption is removed.